What steps will reproduce the problem?
Sign a request using OAuthSignatureMethod_HMAC_SHA1 and examine the value of sResult before it is returned from OAuthSignatureMethod_HMAC_SHA1.buildSignature().

What is the expected output? What do you see instead?
Currently the library is not URL-encoding the base string before signing it.
For example:
POST&http://api.domain.com/login/request&oauth_consumer_key=111222333&oauth_nonce=833C7083155C6DAD6E874796B77414670D447FDB&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1218443250&oauth_version=1.0
The expected base string should be:
POST&http%3A%2F%2Fapi.domain.com%2Flogin%2Frequest&format%3Djson%26oauth_consumer_key%3D111222333%26oauth_nonce%3DE4A29C58631066226567BA13165E626D067760CA%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1218443373%26oauth_version%3D1.0

What version of the product are you using? On what operating system?
rev: 626
Please provide any additional information below.
Below is an updated buildSignature function that will correctly URL-encode each portion of the base string. Please note the use of java.net.URLEncoder to do the URL encoding and NOT ColdFusion's built-in urlEncodedFormat() function. urlEncodedFormat will (incorrectly?) encode ".", "-" and "_" to their % values, causing the signature to be invalid.

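<!--- builds a SHA-1 signature --->
<cffunction name="buildSignature" access="public" returntype="string">
    <cfargument name="oRequest" required="true" type="OAuthRequest">
    <cfargument name="oConsumer" required="true" type="OAuthConsumer">
    <cfargument name="oToken" required="true" type="OAuthToken">
    <!--- java.net.URLEncoder leaves ".", "-" and "_" unescaped, unlike urlEncodedFormat() --->
    <cfset var encoder = createObject("java", "java.net.URLEncoder") />
    <cfset var aSignature = ArrayNew(1)>
    <cfset var sKey = "">
    <cfset var sResult = "">
    <cfset var sHashed = "">
    <cfset var digest = "">
    <cfset var i = 0>
    <!--- base string parts: HTTP method, URL and parameters, each encoded as UTF-8 --->
    <cfset ArrayAppend(aSignature, encoder.encode(arguments.oRequest.getNormalizedHttpMethod(), "UTF-8"))>
    <cfset ArrayAppend(aSignature, encoder.encode(arguments.oRequest.getNormalizedHttpURL(), "UTF-8"))>
    <cfset ArrayAppend(aSignature, encoder.encode(arguments.oRequest.getSignableParameters(), "UTF-8"))>
    <!--- URLEncoder writes a space as "+", leaves "*" literal and escapes "~";
          OAuth's RFC 3986 encoding needs %20, %2A and a literal "~" instead --->
    <cfloop from="1" to="#ArrayLen(aSignature)#" index="i">
        <cfset aSignature[i] = replace(replace(replace(aSignature[i], "+", "%20", "all"), "*", "%2A", "all"), "%7E", "~", "all")>
    </cfloop>
    <!--- signing key: consumer secret, "&", token secret --->
    <cfset sKey = arguments.oConsumer.getSecret() & "&">
    <cfset sKey = sKey & arguments.oToken.getSecret()>
    <!--- join the encoded parts with "&" and sign the result --->
    <cfset sResult = ArrayToList(aSignature, "&")>
    <cfset sHashed = hmac_sha1(
        signKey = sKey,
        signMessage = sResult)>
    <cfreturn sHashed>
</cffunction>
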
Original issue reported on code.google.com by d1rtym0n...@gmail.com on 11 Aug 2008 at 8:37
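
The base-string construction the report asks for, as an added Java example (not part of the original report or the library's code), written in Java because the proposed fix calls java.net.URLEncoder. The class name and the consumer secret are constructed for illustration; the parameter values are those of the expected base string quoted in the report, which `baseString` reproduces. The three `replace` calls turn URLEncoder's form encoding into the RFC 3986 encoding OAuth 1.0 specifies.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuthBaseString { // hypothetical class name, not part of the library
    // OAuth 1.0 parameter encoding: only A-Z a-z 0-9 - . _ ~ stay literal.
    // URLEncoder produces form encoding, so three of its outputs are corrected.
    static String percentEncode(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8")
                .replace("+", "%20")   // URLEncoder writes a space as "+"
                .replace("*", "%2A")   // URLEncoder leaves "*" literal
                .replace("%7E", "~");  // URLEncoder escapes "~"
    }

    // Base string: METHOD & encoded URL & encoded list of sorted "name=value" pairs.
    // Assumes each parameter name occurs once (a Map cannot hold duplicates).
    static String baseString(String method, String url, Map<String, String> params) throws Exception {
        StringBuilder pairs = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (pairs.length() > 0) pairs.append('&');
            pairs.append(percentEncode(e.getKey())).append('=').append(percentEncode(e.getValue()));
        }
        return percentEncode(method.toUpperCase()) + "&" + percentEncode(url)
                + "&" + percentEncode(pairs.toString());
    }

    // HMAC-SHA1 over the base string; key is encoded consumer secret, "&", encoded token secret.
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        String key = percentEncode(consumerSecret) + "&" + percentEncode(tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> p = new HashMap<>();
        p.put("oauth_version", "1.0");
        p.put("oauth_timestamp", "1218443373");
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_nonce", "E4A29C58631066226567BA13165E626D067760CA");
        p.put("oauth_consumer_key", "111222333");
        p.put("format", "json");
        String base = baseString("POST", "http://api.domain.com/login/request", p);
        System.out.println(base);
        // Constructed secret; the token secret is empty before a token has been issued.
        System.out.println(sign(base, "constructed-consumer-secret", ""));
    }
}
```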